Because an FTC cease and desist order contained no prohibitions, but merely commanded a company to overhaul and replace its data-security program to meet an unstated standard of reasonableness, the order was unenforceable, held the U.S. Court of Appeals in Atlanta. Following a data security breach of consumer personal information, the FTC brought an enforcement action against LabMD, alleging that its failure to implement reasonable security practices was an unfair act or practice under FTC Act Section 5(a). In the resulting cease and desist order, the FTC required LabMD to implement a data security program that met the FTC’s standard of reasonableness. LabMD argued that the order did not direct it to cease committing an unfair act or practice within the meaning of Section 5(a). The court agreed, finding that because the order did not enjoin a specific act or practice, it had no specific standard that would allow a court to determine whether LabMD had violated the order. Therefore, the order was unenforceable (LabMD, Inc. v. FTC, June 6, 2018, Tjoflat, G.).

Background. Sometimes in 2005, an employee of LabMD installed a peer-to-peer file sharing application on her work computer, in violation of LabMD’s security policy. A data security company was able to use the peer-to-peer software to download other files from the employee’s machine, including a file with the personal information of more than 9,000 consumers. The data security company offered its services to LabMD. LabMD declined and removed the peer-to-peer software from the employee’s computer. In 2009, the data security company delivered the file with consumer data to the FTC. The FTC issued a complaint against LabMD, but the complaint did not allege practices LabMD had engaged in, rather, data security measure that it had failed to perform. LabMD asserted that the FTC had no authority to regulate how it handled personal information stored on its network.

Following a trial in front of an administrative law judge, in which the ALJ found that the FTC failed to prove that LabMD had committed unfair acts or practices, the FTC appealed to the full Commission, which reversed the ALJ’s decision. The FTC issued a cease and desist order to LabMD, directing LabMD to create and implement a variety of broad protective data security measures. LabMD petitioned the court to vacate the order, arguing that the cease and desist order was unenforceable because it did not direct the company to cease committing an unfair act or practice within the meaning of Section 5(a).

Unfair act or practice. The court first considered whether LabMD’s failure to design and implement a reasonable data security program was an unfair act or practice under Section 5(a). The FTC argued that it was, because the failure caused substantial injury to consumers’ right of privacy. Although the FTC did not cite the source of the unfairness, the court determined that the FTC had based its decision using the common law of negligence as the established policy creating a standard for unfairness. In other words, the law of negligence is a source that provides a standard for determining whether an act or practice is unfair. Therefore, a corporation that negligently infringes the consumer interest against unintentional invasion may be held accountable under Section 5(a). The court declined to decide the issue, but assumed it to be true so that it could address LabMD’s second argument regarding whether the cease and desist order was enforceable.

Enforceability of cease and desist order. The court reviewed the FTC’s options for litigating an unfair act or practice. The FTC may choose to litigate the issue in front of an ALJ (resulting in a cease and desist order) or before a federal district judge (resulting in an injunction). If a cease and desist order is violated, the FTC would bring a civil penalty action in federal district court. If an injunction is violated, the FTC may invoke the district court’s civil contempt power. But while the FTC Act does not address what content must go into a cease and desist order, the prohibitions in such an order would need to be clear and precise for a district court to impose civil penalties for violation. Similarly, specificity would be required in an injunction.

The court found that the cease and desist order contained no prohibitions, it merely commanded LabMD to overhaul and replace its data-security program to meet an unstated standard of reasonableness. That command is unenforceable, because it would be unenforceable if the FTC sought enforcement of the order by a district court. Because the order did not enjoin a specific act or practice, but required LabMD to implement a "reasonably-designed" security program, it had no specific standard that would allow a court to determine whether LabMD had violated the order. And to find a violation, the court would need to modify the cease and desist order to include the implementation of specific practices, effectively managing the company’s overhaul of its data security program. Because the order would be unenforceable under a district court’s contempt power, and the standards governing the coercive enforcement of injunctions and cease and desist orders are the same, the order was unenforceable.

Interested in submitting an article?

Antitrust Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on antitrust legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Create a PasswordPlease enter a PasswordYour password must be at least 6 characters longNo validation was done for leading or trailing spaces in password.

Yes, I would like to create an account.

I consent to the collection of my personal information by Wolters Kluwer Legal & Regulatory U.S., operated through CCH Incorporated and its affiliate Kluwer Law International, so that I can create an account to store my contact information and order history to facilitate ecommerce transactions. I understand that my personal information will be processed for this purpose in the United States where CCH Incorporated operates.

You may change or withdraw your consent at any time by contacting our Customer Service team at +1-301-698-7100 or [email protected]. For more information about our privacy practices, please refer to our privacy statement: www.WoltersKluwerLR.com/privacy.

Online subscription product purchases require that you create an account.

Email Address
This field is required
Please Type Valid Email Address
Email Address has a minimum length of 0.
Company
This field is required
Country
This field is required

Yes, send me information on similar products and content from Wolters Kluwer.

I consent to the collection of my personal information by Wolters Kluwer Legal & Regulatory U.S., operated through CCH Incorporated and its affiliate Kluwer Law International, so that I can be contacted about similar product(s) and content. I understand that my personal information will be processed for this purpose in the United States where CCH Incorporated operates. Additionally, if the products being inquired about are fulfilled by Kluwer Law International, my personal information will be shared with Kluwer Law International and processed in the Netherlands or the United Kingdom where it operates.

You may change or withdraw your consent at any time by contacting our Customer Service team at +1-301-698-7100 or [email protected]. For more information about our privacy practices, please refer to our privacy statement: www.WoltersKluwerLR.com/privacy.

Thank you!

We apologize!

Interested in submitting an article?

First Name
This field is required

Last Name
This field is required

Email Address
This field is required
Please Type Valid Email Address
Area of Expertise
This field is required
Article Idea for Consideration
This field is required

Yes, send me information on similar products and content from Wolters Kluwer.

I consent to the collection of my personal information by Wolters Kluwer Legal & Regulatory U.S., operated through CCH Incorporated and its affiliate Kluwer Law International, so that I can be contacted about similar product(s) and content. I understand that my personal information will be processed for this purpose in the United States where CCH Incorporated operates. Additionally, if the products being inquired about are fulfilled by Kluwer Law International, my personal information will be shared with Kluwer Law International and processed in the Netherlands or the United Kingdom where it operates.

You may change or withdraw your consent at any time by contacting our Customer Service team at +1-301-698-7100 or [email protected]. For more information about our privacy practices, please refer to our privacy statement: www.WoltersKluwerLR.com/privacy.

Success

We appologize

Request a Trial

Thank you for your interest in a free trial! We look forward to connecting with you.

First Name
This field is required

Last Name
This field is required

Email Address
This field is required
Please Type Valid Email Address
Phone Number
This field is required
Title (Optional)Company Name
This field is required
Organization Type
This field is required
Country
This field is required
State or Province
This field is required

Yes, send me information on similar products and content from Wolters Kluwer.

I consent to the collection of my personal information by Wolters Kluwer Legal & Regulatory U.S., operated through CCH Incorporated and its affiliate Kluwer Law International, so that I can be contacted about similar product(s) and content. I understand that my personal information will be processed for this purpose in the United States where CCH Incorporated operates. Additionally, if the products being inquired about are fulfilled by Kluwer Law International, my personal information will be shared with Kluwer Law International and processed in the Netherlands or the United Kingdom where it operates.

You may change or withdraw your consent at any time by contacting our Customer Service team at +1-301-698-7100 or [email protected]. For more information about our privacy practices, please refer to our privacy statement: www.WoltersKluwerLR.com/privacy.

Thank you!

We aplogize!

Message Us

Thank you for your inquiry! We look forward to connecting with you.

First Name
This field is required

Last Name
This field is required

Email Address
This field is required
Please Type Valid Email Address
Phone Number
This field is required
Company Name
This field is required
Country
This field is required
Topic (Optional)Account or Invoice Number (Optional)Comments (Optional)

Thank you. We will contact you soon!

We apologize, but we failed to receive this message.

Thank You!

Thank You.

Your request has been forwarded to a Wolters Kluwer representative who will contact you shortly!